license and readme

master
Adam Pippin 4 years ago
commit 95e610a1ab

LICENSE.md (+1)

@ -0,0 +1 @@
Proprietary
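Review bot: a one-word LICENSE.md ("Proprietary") states no terms at all, so a reader cannot tell who holds the copyright or what use, if any, is permitted. Add at least a copyright line naming the owner and year and a sentence stating that no rights are granted without written permission, or point to the agreement that actually governs this code.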

README.md (+132)

@ -0,0 +1,132 @@
# Cross Account Snapshots
Two lambdas:
* One to share all snapshots of a volume with a target account.
* One to copy all snapshots shared with an account into the local account.
## Source Account Setup
The volume you want to manage must be encrypted with a customer managed key,
not the default KMS key.
### Lambda
Create a lambda containing `share_snapshots.py`.
Adjust:
* `VOLUME_ID` to the volume id you want to share the snapshots of
* `TARGET_ACCOUNT` to the AWS account ID of the target account you want to
share with
### IAM
Attach the following IAM policy to the role you set up for your lambda,
replacing the `ca-central-1` region with the region you want to manage.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowModifySnapshotAttribute",
"Effect": "Allow",
"Action": "ec2:ModifySnapshotAttribute",
"Resource": "arn:aws:ec2:ca-central-1::snapshot/*"
},
{
"Sid": "AllowManageSnapshots",
"Effect": "Allow",
"Action": [
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots"
],
"Resource": "*"
}
]
}
### KMS
In the AWS console, navigate to your KMS key and scroll down to the "Other AWS Accounts"
section. Add your target account by id.
## Target Account Setup
### Lambda
Create a lambda containing `clone_snapshots_locally.py`.
Adjust:
* `SOURCE_ACCOUNT` the source account's id
* `TARGET_ACCOUNT` your target account's id
* `KMS_KEYS` a dictionary mapping a source account KMS key arn to a KMS key arn in
your target account, specifying which key to reencrypt the snapshot with when
copying
* `RETENTION` a dictionary mapping strings in the description field to a number of
seconds to retain a snapshot after it has been detected that it was deleted
* `REGION` the region the source account's snapshots are located in
### IAM
Attach the following IAM policy to allow managing snapshots, replacing `ca-central-1`
with the region you want to manage.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCopyAndDelete",
"Effect": "Allow",
"Action": [
"ec2:CopySnapshot",
"ec2:DeleteSnapshot"
],
"Resource": "arn:aws:ec2:ca-central-1::snapshot/*"
},
{
"Sid": "AllowReadAndTag",
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:DescribeSnapshots"
],
"Resource": "*"
}
]
}
Add the following IAM policy to allow use of the shared KMS key from the source account,
replacing the resource arn with the arn of your source account's key:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUseOfKey",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:CreateGrant"
],
"Resource": [
"arn:aws:kms:ca-central-1:987698769876:key/abcd-abcd-abcd"
]
}
]
}
## Test
1. Run the lambda in your source account, it should output that it has shared several snapshots.
2. Run the lambda in your target account, it should output that it has copied several snapshots.
## Run Automatically
Set up CloudWatch Events triggers to run your lambdas on a schedule.
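Review bot: the target account's AllowCopyAndDelete statement grants ec2:DeleteSnapshot on arn:aws:ec2:ca-central-1::snapshot/*, so the lambda that prunes copies after the RETENTION period can delete every snapshot in the region, not only the ones it copied; since the role already has ec2:CreateTags, tag each copy at CopySnapshot time and limit DeleteSnapshot with an ec2:ResourceTag condition on that tag. Two related gaps in the same section: the KMS policy under "replacing the resource arn with the arn of your source account's key" lists only the source key, but the copy re-encrypts with the target-account key named in KMS_KEYS, so that key's ARN (at least kms:GenerateDataKey*, kms:CreateGrant and kms:DescribeKey) belongs in the Resource list as well; and on the source side AllowModifySnapshotAttribute on snapshot/* lets the role share any snapshot with any account, which can be narrowed with a condition on the ec2:Add/userId key set to TARGET_ACCOUNT. It would also help to say in the KMS step that the "Other AWS Accounts" entry is what edits the key policy; without it the target's IAM policy alone is not enough and the copy fails.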